Na Ruan,Mingli Wu,Shiheng Ma,Haojin Zhu,Weijia Jia,Songyang Wu

DOI: https://doi.org/10.1587/transinf.2016inp0023

2017-01-01

IEICE Transactions on Information and Systems

Abstract:As a new generation voice service, Voice over LTE (VoLTE) has attracted worldwide attentions in both the academia and industry. Different from the traditional voice call based on circuit-switched (CS), VoLTE evolves into the packet-switched (PS) field, which has long been open to the public. Though designed rigorously, similar to VoIP services, VoLTE also suffers from SIP (Session Initiation Protocal) flooding attacks. Due to the high performance requirement, the SIP flooding attacks in VoLTE is more difficult to defend than that in traditional VoIP service. In this paper, enlightened by Counting Bloom Filter (CBF), we design a versatile CBF-like structure, PFilter, to detect the flooding anomalies. Compared with previous relevant works, our scheme gains advantages in many aspects including detection of low-rate flooding attack and stealthy flooding attack. Moreover, not only can our scheme detect the attacks with high accuracy, but also find out the attackers to ensure normal operation of VoLTE by eliminating their negative effects. Extensive experiments are performed to well evaluate the performance of the proposed scheme.

Yanan Zhang,Jingru Xing,Yaozong Xu,Maode Ma,Cong Wang

DOI: https://doi.org/10.1007/978-981-97-5606-3_22

2024-01-01

Abstract:Named Data Networking (NDN) is one of the potential Future Internet Architectures, shifting from the traditional host-centric architecture to a data-centric one. Collusion Interest Flooding Attacks (CIFAs) is a new type of attack that intermittently sending malicious Interests to overwhelm the Pending Interest Table (PIT). Collusive producers working with the attackers respond to these malicious Interest packets just before they expire in the PIT, thereby disguising their attacks as legitimate, which makes detection methods against Interest Flooding Attacks (IFAs) unable to identify CIFAs. This paper proposes the DM-CIFA scheme, which aggregates decision tree and K-means algorithm for effective detection and mitigation of CIFAs. Firstly, a decision tree is trained to monitor the number of entries in the PIT, and the throughput of Interest and Data packets of the router for attack detection. Then the malicious prefix identification algorithm, based on the K-means algorithm, is activated after an attack is detected. Additionally, the bottleneck router mitigating CIFAs by informing the next hop router with a signed Interest packet (SIP) that carry the malicious prefixes to pinpoint attackers and reject forwarding malicious Interests. The simulation results demonstrate the proposed DM-CIFA has high sensitivity towards CIFAs and the capability to effectively mitigate the attack's effects on the NDN.

Junchi Xing,Jingling Cai,Boyang Zhou,Chunming Wu

DOI: https://doi.org/10.1109/iscc47284.2019.8969595

2019-01-01

Abstract:Recently, link flooding attacks (LFA) have been observed as a serious threat for cutting off the Internet connectivity through congesting critical links. A LFA typically utilizes legitimate and low-rate flows, which makes it extremely hard to be detected and, subsequently, to be mitigated. In this paper, we present LF-Shield, that is a deep convolutional neural network (ConvNet) based countermeasure to accurately detect and efficiently mitigate LFAs using software-defined network (SDN) paradigm. LF-Shield can identify malicious bots that launch LFA flows by extracting end-hosts' traffic features and afterwards, classifying the type of end-hosts based on deep ConvNet. Then, LF-Shield mitigates LFAs without affecting legitimate end-hosts through blocking the classified malicious bots and limiting the bandwidths of inactive or newly-accessed end-hosts. A LF-Shield prototype is implemented for evaluating its performance by several experiments. The experimental results demonstrate that LF-Shield can identify malicious bots with an accuracy of 96.4% and mitigate LFAs with the 93.1% reduction in link degradation ratio, with negligible impact on legitimate end-hosts.

Shen Zhang,Lu Zhou,MingLi Wu,Zhushou Tang,Na Ruan,Haojin Zhu

DOI: https://doi.org/10.1109/vtcfall.2016.7880916

2016-01-01

Abstract:Due to the worldwide deployment of Long Term Evolution (LTE), the fourth-generation (4G) mobile cellular networking technology, Voice over LTE (VoLTE) [2] has been also well developed in past few years. It exploits packet-switched network to provide call services instead of the traditional circuit-switched telephony. Similar to the Voice over IP (VoIP), VoLTE adopts Session Initiation Protocol (SIP) to achieve some control functions. Therefore, it means attack techniques against the SIP will also be effective against VoLTE devices.In this paper, we propose a novel device-side SIP-aware detecting system against two kinds of SIP attacks, SIP message flooding attack and malformed SIP message attack. To detect the message flooding attack, we set threshold for the traffic of SIP message received from VoLTE interface within one minute. And for the malformed message attack, we provide the structure and formalization rules of SIP messages to detect malformed SIP messages by utilizing ontology descriptions.This paper presents the design and implementation of this detecting system. The simulation test shows that this system will improve the security level of VoLTE service in real applications.

Na Ruan,Qi Hu,Lei Gao,Haojin Zhu,Qingshui Xue,Weijia Jia,Jingyu Cui

DOI: https://doi.org/10.1109/glocom.2016.7841555

2016-01-01

Abstract:With rapid growth of LTE network and Voice-over-LTE(VoLTE), detecting and preventing security threats like Denial of Service attack becomes a necessary and urgent requirement. VoLTE is an voice solution based on Internet Protocol and 4G LTE technology, at the same time exposing many vulnerabilities when using packet-switched network. There are many heavy weighted detection systems using content analysis, while high demands of computing resource constraint their practical use. In this paper, we purpose a lightweight detection scheme for VoLTE network security, based on analysis of data traffic flow. To optimize parameters in our scheme, we formulate a Bayesian game model. Bayesian game has the features of incomplete information and asymmetry, similar to practical attack-defense model. Besides, The dynamic Bayesian game is more realistic, since both sides can update believes about their opponents. Simulation results provide some guidances on parameter selection, as well as verifying the superiority of our scheme.

Jianhong Lin,Tianyu Chen,Peng Wang,Chunming Wu

DOI: https://doi.org/10.1109/imcec55388.2022.10019885

2022-01-01

Abstract:With the rapid development of 5G technology, the number of telecom network users is exploding, which brings great pressure to the governance of the whole network. Voice spam, such as fraud, harassment and other illegal voice calls, not only occupy communication resources, but also disturb people's daily life and social order. In light of this, considering different scenario elements, this paper proposes a governance framework that considers time, location and user attributes simultaneously to identify and intercept voice spam. Specifically, we firstly use decision tree algorithm to recognize and classify voice spam in telecom network. Then, based on the frequent itemset theory, the malicious phone IDs are further analyzed and revealed. The telephone numbers are divided into white list, grey list, personal blacklist and group blacklist. Through simulation analysis and practical application in Zhengzhou area, the framework proposed can accurately detect voice spam and timely remind users of potential risks, providing users with secure voice services.

Gonglong Chen,Wei Dong

DOI: https://doi.org/10.1145/3418210

2020-01-01

ACM Transactions on Sensor Networks

Abstract:Recently, Cross-Technology Communication (CTC), allowing the direct communication among heterogeneous devices with incompatible physical layers, has attracted much research attention. Many efficient CTC protocols have been proposed to demonstrate its promise in IoT applications. However, the applications built upon CTC will be significantly impaired when CTC suffers from malicious attacks such as jamming or sniffing. In this article, we implement a reactive jamming system, JamCloak, that can attack most existing CTC protocols. To this end, we first propose a taxonomy of the existing CTC protocols. Then based on the taxonomy, we extract essential features to train a CTC detection model, and estimate the parameters that can efficiently jam CTC links. Experimental results show that JamCloak consistently achieves 94.7% of classification accuracy on average in both Line-of-Sight and Non-Line-of-Sight scenarios. We also apply JamCloak to attack three existing CTC protocols: WiZig, Esense and EMF. Results show that JamCloak can significantly reduce PDR (packet delivery ratio) by 80.8% on average in practical environments. In the meantime, JamCloak’s jamming gain is more than 1.78× higher than the existing reactive jammer. In addition, we propose a practical countermeasure against reactive jamming attacks over CTC links like JamCloak. Results show that our approach significantly improves the jamming detection accuracy by 91.2% on average than the existing approach, and effectively decreases the reduction in packet delivery ratio to 1.7%.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Linhong Guo,Xiaosong Zhang

DOI: https://doi.org/10.1088/1742-6596/1325/1/012108

2019-01-01

Journal of Physics Conference Series

Abstract:VoLTE (voice over LTE) is widely popular and the potential target for covert communications. The transmission of continuous and large amounts of data over VoLTE enables the construction of a covert channel. The existing covert channel construction scheme based on IPD (inter-packet delay) cannot be applied to VoLTE due to the particularity of the IPD of VoLTE traffics. In this paper, we propose a covert channel with intelligent confrontation for VoLTE traffic. It modulates messages in the relative relationship of voice and video packets based on learning of the characteristics of active attack traffic. The experimental results indicate that the proposed covert channel is undetectable and robust.

Changhua Sun,Jindou Fan,Bin Liu

DOI: https://doi.org/10.1109/CHINACOM.2007.4469411

2007-01-01

Abstract:We propose a more robust scheme to detect SYN flooding attacks. Existing methods for detecting SYN flooding are based on the protocol behavior of TCP SYN-FIN (RST) or SYN-ACK pairs, as normally the number of SYN packets is equal to that of FIN (added with RST) packets, or ACK packets in the handshake. When SYN flood starts, there will be more SYN packets. However, the attacker can avoid the detection by sending the FIN or RST packets (ACK packets) in conjunction with the SYN packets. To make the detection scheme more robust, we record the flow information of SYN packets in a counting Bloom Filter, and count the FIN (RST) packets according to the Bloom Filter. In addition, the Change Point Detection method based on a non-parametric Cumulative Sum algorithm is applied to make the detection mechanism much more generally applicable. Through trace-driven simulations, we show our detection scheme is more efficient and robust in detecting various SYN flooding attacks. More importantly, our scheme can be easily deployed at ISP's edge routers.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

Wenhai Li,Wei Guo,Xiaolei Luo,Xiang Li

DOI: https://doi.org/10.1109/apscc.2010.84

2010-01-01

Abstract:As the core infrastructure of the VoIP, IMS and IPTV, SIP based network is now increasingly been deployed throughout the world. Due mainly to the relatively high flow rate and the exorbitant session maintenance, SIP servers are similarly susceptible to the Denial-of-Service (DoS) Attacks above the IP stack, especially when the Distributed spoofing URI is considered. A hybrid SIP DoS detection method is proposed in this paper to handle three representative flooding attacks, and the CUSUM statistical detection founded on the adaptive sliding window based acquisition is adopted for achieving high accuracy and low latency. Experimental result shows that this method achieves a high rate, low latency and low false alarm rate of SIP flooding detection.

Chenxi Li,Jiahai Yang,Ziyu Wang,Fuliang Li,Yang Yang

DOI: https://doi.org/10.1109/GLOCOM.2015.7417159

2015-01-01

Abstract:DDoS flooding attack is one of the top threats to the Internet. However, due to the fast development of the Internet, current detection algorithms are already inadequate to meet the growth of network traffic. In this paper, we propose a lightweight algorithm. We first observe the real Internet traffic, and find that flows of DDoS flooding attack traffic are persistent and synchronous while most flows of normal traffic are short-lived and non-synchronous. According to this difference, we propose our detection algorithm. We label the alarms firstly and then confirm the attack. Our algorithm is lightweight and sensitive to the ongoing attack. However, randomly spoofing the IP address of the attack source to different IP addresses can hide the synchronization of attack flows. Thus, we add a spoofing IP detection algorithm called hop-count filter (HCF) to our algorithm to strengthen the robustness. At last, we evaluate our detection algorithm based on the real Internet traffic from CAIDA. Results show that our detection algorithm has a high accuracy (93.3%), no false positive in attack confirmation and just 1.1% false positive rate in labeling alarms. In addition, we analyze the challenges we may face when dealing with distributed LDoS attack.

Baojiang Cui,Shengbo Feng,Qinshu Xiao,Ming Li

DOI: https://doi.org/10.1109/bwcca.2015.42

2015-01-01

Abstract:Through the analysis of LTE protocol and its security threat, this paper profoundly researches the security mechanism of RLC layer protocol in LTE protocol and the security detection technology of LTE protocol. In this paper, we use the improved fuzzing test technology to detect the potential security vulnerabilities in LTE protocol. In order to improve the efficiency, this paper improves the random Fuzzing test technology, proposes a new data mutation algorithm based on protocol format. By comparing the number of test cases, this paper verified the validity of the algorithm on the theory. According to the algorithm, we designed the fuzzing test framework, and detected LTE protocol based on N3-3 simulation platform. Through detection we have found a security defect in the RLC layer protocol, and it is verified that the security defect detection method of LTE protocol based on format fuzzing test is effective.

Hancun Sun,Xu Chen,Yantian Luo,Wei Feng,Yunfei Chen,Ning Ge

DOI: https://doi.org/10.1109/icct59356.2023.10419782

2023-01-01

Abstract:Link flooding attack (LFA) is a kind of stealthy distributed denial of service (DDoS) attack that has been commonly exploited by attackers to disconnect victims from the Internet by congesting critical links on the paths. With the development of 5G, a massive number of insecure Internet of Things (IoT) devices have been connected to the network, which significantly increases the risk of LFA. Detecting and mitigating LFA is difficult since malicious traffic is of low speed and protocol confirming from legitimate traffic. Traditional LFA detection methods face the challenge of high complexity. Due to the numerous attack sources of LFA, the mainstream traffic engineering-based mitigation methods introduce high signaling communication costs. To over-come these challenges, we propose a novel LFA defense system in software defined networking (SDN) architecture that consists of a distributed relative entropy-based LFA detection method and an optimized rerouting method for LFA mitigation. This framework is lightweight to implement. It can not only reduce the communication overhead of signaling transmission in mitigation, but also avoid the cascading congestion of other links after rerouting. We verify our detection and mitigation method in an experimental testbed. Numerical results show that our method can detect and mitigate LFAs effectively with low cost.

Xin Wang,Xiaobo Ma,Jian Qu

DOI: https://doi.org/10.1109/dsa52907.2021.00026

2021-01-01

Abstract:In recent years, a new type of DDoS attacks against backbone routing links have appeared. They paralyze the communication network of a large area by directly congesting the key routing links concerning the network accessibility of the area. This new type of DDoS attacks make it difficult for traditional countermeasures to take effect. This paper proposes and implements an attack detection method based on non-cooperative active measurement. Experiments show that our detection method can efficiently perceive changes of network link performance and assist in identifying such new DDoS attacks. In our testbed, the network anomaly detection accuracy can reach 93.7%.

Zishuai Cheng,Mihai Ordean,Flavio Garcia,Baojiang Cui,Dominik Rys

DOI: https://doi.org/10.56553/popets-2023-0053

2023-04-01

Proceedings on Privacy Enhancing Technologies

Abstract:Voice over LTE (VoLTE) and Voice over NR (VoNR), are two similar technologies that have been widely deployed by operators to provide a better calling experience in LTE and 5G networks, respectively. The VoLTE/NR protocols rely on the security features of the underlying LTE/5G network to protect users' privacy such that nobody can monitor calls and learn details about call times, duration, and direction. In this paper, we introduce a new privacy attack which enables adversaries to analyse encrypted LTE/5G traffic and recover any VoLTE/NR call details. We achieve this by implementing a novel mobile-relay adversary which is able to remain undetected by using an improved physical layer parameter guessing procedure. This adversary facilitates the recovery of encrypted configuration messages exchanged between victim devices and the mobile network. We further propose an identity mapping method which enables our mobile-relay adversary to link a victim's network identifiers to the phone number efficiently, requiring a single VoLTE protocol message. We evaluate the real-world performance of our attacks using four modern commercial off-the-shelf phones and two representative, commercial network carriers. We collect over 60 hours of traffic between the phones and the mobile networks and execute 160 VoLTE calls, which we use to successfully identify patterns in the physical layer parameter allocation and in VoLTE traffic, respectively. Our real-world experiments show that our mobile-relay works as expected in all test cases, and the VoLTE activity logs recovered describe the actual communication with 100% accuracy. Finally, we show that we can link network identifiers such as International Mobile Subscriber Identities (IMSI), Subscriber Concealed Identifiers (SUCI) and/or Globally Unique Temporary Identifiers (GUTI) to phone numbers while remaining undetected by the victim.

English Else

Xin Wang,Xiaobo Ma,Jiahao Peng,Jianfeng Li,Lei Xue,Wenjun Hu,Li Feng

DOI: https://doi.org/10.1109/access.2021.3131503

IF: 3.9

2021-01-01

IEEE Access

Abstract:The emerging link flooding attacks (LFAs) are one type of attacks that attract significant attention in both academia and industry against the routing infrastructure. The attack traffic flows originating from bots (e.g., compromised IoT devices) are deliberately aggregated at upstream critical links and grow intensified, gradually making a network connected to the critical links disconnected. Although LFAs are far more sophisticated than traditional DDoS attacks, whether such sophistication comes without a downside has never been investigated. In this paper, by modeling link flooding attacks and defenses, we tackle a series of questions concerning the practical issues of LFAs. Specifically, from the perspective of attacks, we advance a novel notion of strike precision, and reveal that LFAs may exhibit attack interference (i.e., unexpectedly interfere the connectivity of innocent networks) which might undermine the stealthiness and persistence of LFAs. From the perspective of defenses, we make the first step to study attack intention, i.e., inversely inferring the target network to disconnect based on the identified links under attack. Furthermore, we consider a strong defender who employs traffic engineering to mitigate LFAs, and formulate the game-theoretic interactions between attackers and defenders. The experiment results show that attack interference is pervasive, and our proposed SPAH flooding strategy can substantially lower attack interference and increase strike precision. Moreover, we demonstrate that LFAs can be effectively mitigated based on traffic engineering from a game-theoretic perspective, wherein the defender can adopt non-cooperative measurement techniques to achieve light-weight and multi-protocol-based robust probe deployment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lei Xue,Xiaobo Ma,Xiapu Luo,Edmond W. W. Chan,Tony T. N. Miu,Guofei Gu

DOI: https://doi.org/10.1109/tifs.2018.2815555

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:A new class of target link flooding attacks (LFA) can cut off the Internet connections of a target area without being detected because they employ legitimate flows to congest selected links. Although new mechanisms for defending against LFA have been proposed, the deployment issues limit their usages since they require modifying routers. In this paper, we propose LinkScope, a novel system that employs both the end-to-end and the hop-by-hop network measurement techniques to capture abnormal path performance degradation for detecting LFA and then correlate the performance data and traceroute data to infer the target links or areas. Although the idea is simple, we tackle a number of challenging issues, such as conducting large-scale Internet measurement through noncooperative measurement, assessing the performance on asymmetric Internet paths, and detecting LFA. We have implemented LinkScope with 7174 lines of C codes and the extensive evaluation in a testbed and the Internet show that LinkScope can quickly detect LFA with high accuracy and low false positive rate.

Lei Xue,Xiaobo Ma,Xiapu Luo,Edmond W. W. Chan,Tony T. N. Miu,Guofei Gu

2018-01-01

Abstract:A new class of target link flooding attacks (LFA) can cut off the Internet connections of a target area without being detected because they employ legitimate flows to congest selected links. Although new mechanisms for defending against LFA have been proposed, the deployment issues limit their usage since they require either additional modules to enhance routers or using the software-defined network (SDN) to replace the traditional routers. In this paper, we propose a novel framework that employs both the end-to-end and the hop-by-hop network measurement techniques to capture abnormal path performance degradation for detecting LFA and then locate the target links or areas whenever possible, and develop a prototype of the framework named LinkScope. Although using network measurement to capture network anomaly is not new, we tackle a number of challenging issues, such as conducting large-scale Internet path monitoring via non-cooperative measurement so that users do not need to install LinkScope on every host, profiling the performance of asymmetric Internet paths, and detecting LFA. The extensive evaluation in a testbed and the Internet shows that with limited bandwidth and computational overhead LinkScope can achieve timely detection and diagnosis of LFA with high detection rate and low false positive rate.